<div dir="ltr"><div dir="ltr"><div class="gmail_quote"><div>Adding charon_debug.log:</div><div><div>Tue, 2021-03-09, %H:32:09 00[DMN] Starting IKE charon daemon (strongSwan 5.8.4, Linux 5.5.0-kali2-amd64, x86_64)</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'aesni': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'aes': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'rc2': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'sha2': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'sha1': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'md5': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'mgf1': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'random': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'nonce': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'x509': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'revocation': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'constraints': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'pubkey': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'pkcs1': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'pkcs7': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'pkcs8': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'pkcs12': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'pgp': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'dnskey': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'sshkey': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'pem': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'openssl': loaded successfully</div><div>Tue, 
2021-03-09, %H:32:09 00[LIB] plugin 'fips-prf': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'gmp': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'agent': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'xcbc': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'hmac': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'gcm': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'drbg': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'attr': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'kernel-netlink': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'resolve': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'socket-default': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'connmark': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'stroke': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'updown': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'eap-mschapv2': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'xauth-generic': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'counters': loaded successfully</div><div>Tue, 2021-03-09, %H:32:09 00[KNL] known interfaces and IP addresses:</div><div>Tue, 2021-03-09, %H:32:09 00[KNL] lo</div><div>Tue, 2021-03-09, %H:32:09 00[KNL] 127.0.0.1</div><div>Tue, 2021-03-09, %H:32:09 00[KNL] ::1</div><div>Tue, 2021-03-09, %H:32:09 00[KNL] eth0</div><div>Tue, 2021-03-09, %H:32:09 00[KNL] 10.100.1.66</div><div>Tue, 2021-03-09, %H:32:09 00[KNL] fe80::7ddb:e857:c734:34bf</div><div>Tue, 2021-03-09, %H:32:09 00[KNL] fe80::435e:56e6:3941:5794</div><div>Tue, 2021-03-09, %H:32:09 00[KNL] fe80::e8af:3339:4054:be35</div><div>Tue, 2021-03-09, %H:32:09 00[KNL] eth1</div><div>Tue, 
2021-03-09, %H:32:09 00[KNL] 192.19.22.10</div><div>Tue, 2021-03-09, %H:32:09 00[KNL] fe80::4d93:72c5:862e:b87f</div><div>Tue, 2021-03-09, %H:32:09 00[KNL] ciscogl</div><div>Tue, 2021-03-09, %H:32:09 00[KNL] 172.19.22.10</div><div>Tue, 2021-03-09, %H:32:09 00[KNL] fe80::ac43:a10d:f6a4:d424</div><div>Tue, 2021-03-09, %H:32:09 00[KNL] docker0</div><div>Tue, 2021-03-09, %H:32:09 00[KNL] 172.17.0.1</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] feature PUBKEY:BLISS in plugin 'pem' has unmet dependency: PUBKEY:BLISS</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has unmet dependency: PRIVKEY:BLISS</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST</div><div>Tue, 2021-03-09, %H:32:09 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'</div><div>Tue, 2021-03-09, %H:32:09 00[CFG] loaded ca certificate "C=CA, CN=Root CA, ST=ON, L=Ottawa, O=Lightship Security, OU=CC1903" from '/etc/ipsec.d/cacerts/ca.cert.pem'</div><div>Tue, 2021-03-09, %H:32:09 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'</div><div>Tue, 2021-03-09, %H:32:09 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'</div><div>Tue, 2021-03-09, %H:32:09 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'</div><div>Tue, 2021-03-09, %H:32:09 00[CFG] loading crls from '/etc/ipsec.d/crls'</div><div>Tue, 2021-03-09, %H:32:09 00[CFG] loading secrets from '/etc/ipsec.secrets'</div><div>Tue, 2021-03-09, %H:32:09 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed</div><div>Tue, 2021-03-09, %H:32:09 00[CFG] loaded IKE secret for %any</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] loaded plugins: charon 
aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)</div><div>Tue, 2021-03-09, %H:32:09 00[LIB] dropped capabilities, running as uid 0, gid 0</div><div>Tue, 2021-03-09, %H:32:09 00[JOB] spawning 16 worker threads</div><div>Tue, 2021-03-09, %H:32:09 01[LIB] created thread 01 [25657]</div><div>Tue, 2021-03-09, %H:32:09 02[LIB] created thread 02 [25658]</div><div>Tue, 2021-03-09, %H:32:09 03[LIB] created thread 03 [25656]</div><div>Tue, 2021-03-09, %H:32:09 04[LIB] created thread 04 [25659]</div><div>Tue, 2021-03-09, %H:32:09 05[LIB] created thread 05 [25660]</div><div>Tue, 2021-03-09, %H:32:09 06[LIB] created thread 06 [25655]</div><div>Tue, 2021-03-09, %H:32:09 07[LIB] created thread 07 [25661]</div><div>Tue, 2021-03-09, %H:32:09 08[LIB] created thread 08 [25662]</div><div>Tue, 2021-03-09, %H:32:09 09[LIB] created thread 09 [25654]</div><div>Tue, 2021-03-09, %H:32:09 10[LIB] created thread 10 [25663]</div><div>Tue, 2021-03-09, %H:32:09 11[LIB] created thread 11 [25664]</div><div>Tue, 2021-03-09, %H:32:09 12[LIB] created thread 12 [25665]</div><div>Tue, 2021-03-09, %H:32:09 13[LIB] created thread 13 [25666]</div><div>Tue, 2021-03-09, %H:32:09 14[LIB] created thread 14 [25653]</div><div>Tue, 2021-03-09, %H:32:09 15[LIB] created thread 15 [25667]</div><div>Tue, 2021-03-09, %H:32:09 16[LIB] created thread 16 [25652]</div><div>Tue, 2021-03-09, %H:32:09 05[CFG] received stroke: add connection 'VPNPeer'</div><div>Tue, 2021-03-09, %H:32:09 05[CFG] conn VPNPeer</div><div>Tue, 2021-03-09, %H:32:09 05[CFG] left=192.19.22.10</div><div>Tue, 2021-03-09, %H:32:09 05[CFG] leftauth=psk</div><div>Tue, 2021-03-09, %H:32:09 05[CFG] leftupdown=ipsec _updown 
iptables</div><div>Tue, 2021-03-09, %H:32:09 05[CFG] right=192.19.22.1</div><div>Tue, 2021-03-09, %H:32:09 05[CFG] rightauth=psk</div><div>Tue, 2021-03-09, %H:32:09 05[CFG] ike=aes256-sha1-modp2048 !</div><div>Tue, 2021-03-09, %H:32:09 05[CFG] esp=aes128-sha1-modp2048 !</div><div>Tue, 2021-03-09, %H:32:09 05[CFG] dpddelay=30</div><div>Tue, 2021-03-09, %H:32:09 05[CFG] dpdtimeout=150</div><div>Tue, 2021-03-09, %H:32:09 05[CFG] sha256_96=no</div><div>Tue, 2021-03-09, %H:32:09 05[CFG] mediation=no</div><div>Tue, 2021-03-09, %H:32:09 05[CFG] keyexchange=ikev1</div><div>Tue, 2021-03-09, %H:32:09 05[KNL] 192.19.22.1 is not a local address or the interface is down</div><div>Tue, 2021-03-09, %H:32:09 05[CFG] added configuration 'VPNPeer'</div><div>Tue, 2021-03-09, %H:32:17 07[NET] <1> received packet: from 192.19.22.1[500] to 192.19.22.10[500] (244 bytes)</div><div>Tue, 2021-03-09, %H:32:17 07[ENC] <1> parsed ID_PROT request 0 [ SA V V V V ]</div><div>Tue, 2021-03-09, %H:32:17 07[CFG] <1> looking for an IKEv1 config for 192.19.22.10...192.19.22.1</div><div>Tue, 2021-03-09, %H:32:17 07[CFG] <1> candidate: 192.19.22.10...192.19.22.1, prio 3100</div><div>Tue, 2021-03-09, %H:32:17 07[CFG] <1> found matching ike config: 192.19.22.10...192.19.22.1 with prio 3100</div><div>Tue, 2021-03-09, %H:32:17 07[IKE] <1> received NAT-T (RFC 3947) vendor ID</div><div>Tue, 2021-03-09, %H:32:17 07[IKE] <1> received draft-ietf-ipsec-nat-t-ike-07 vendor ID</div><div>Tue, 2021-03-09, %H:32:17 07[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID</div><div>Tue, 2021-03-09, %H:32:17 07[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID</div><div>Tue, 2021-03-09, %H:32:17 07[IKE] <1> 192.19.22.1 is initiating a Main Mode IKE_SA</div><div>Tue, 2021-03-09, %H:32:17 07[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING</div><div>Tue, 2021-03-09, %H:32:17 07[CFG] <1> selecting proposal:</div><div>Tue, 2021-03-09, %H:32:17 07[CFG] <1> proposal matches</div><div>Tue, 
2021-03-09, %H:32:17 07[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048</div><div>Tue, 2021-03-09, %H:32:17 07[CFG] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048</div><div>Tue, 2021-03-09, %H:32:17 07[CFG] <1> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048</div><div>Tue, 2021-03-09, %H:32:17 07[IKE] <1> sending XAuth vendor ID</div><div>Tue, 2021-03-09, %H:32:17 07[IKE] <1> sending DPD vendor ID</div><div>Tue, 2021-03-09, %H:32:17 07[IKE] <1> sending NAT-T (RFC 3947) vendor ID</div><div>Tue, 2021-03-09, %H:32:17 07[ENC] <1> generating ID_PROT response 0 [ SA V V V ]</div><div>Tue, 2021-03-09, %H:32:17 07[NET] <1> sending packet: from 192.19.22.10[500] to 192.19.22.1[500] (136 bytes)</div><div>Tue, 2021-03-09, %H:32:17 08[NET] <1> received packet: from 192.19.22.1[500] to 192.19.22.10[500] (412 bytes)</div><div>Tue, 2021-03-09, %H:32:17 08[ENC] <1> parsed ID_PROT request 0 [ KE No V V V NAT-D NAT-D ]</div><div>Tue, 2021-03-09, %H:32:17 08[IKE] <1> received DPD vendor ID</div><div>Tue, 2021-03-09, %H:32:17 08[ENC] <1> received unknown vendor ID: 10:f9:6f:0a:50:a5:1b:9c:da:5b:9b:ec:f8:f8:1e:3e</div><div>Tue, 2021-03-09, %H:32:17 08[IKE] <1> received XAuth vendor ID</div><div>Tue, 2021-03-09, %H:32:17 08[LIB] <1> size of DH secret exponent: 2047 bits</div><div>Tue, 2021-03-09, %H:32:17 08[CFG] <1> candidate "VPNPeer", match: 1/1/3100 (me/other/ike)</div><div>Tue, 2021-03-09, %H:32:17 08[ENC] <1> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]</div><div>Tue, 2021-03-09, %H:32:17 08[NET] <1> sending packet: from 192.19.22.10[500] to 192.19.22.1[500] (372 bytes)</div><div>Tue, 2021-03-09, %H:32:17 09[NET] <1> received packet: from 192.19.22.1[500] to 192.19.22.10[500] (108 bytes)</div><div>Tue, 2021-03-09, %H:32:17 09[ENC] <1> parsed ID_PROT request 0 [ ID HASH 
N(INITIAL_CONTACT) ]</div><div>Tue, 2021-03-09, %H:32:17 09[CFG] <1> looking for pre-shared key peer configs matching 192.19.22.10...192.19.22.1[192.19.22.1]</div><div>Tue, 2021-03-09, %H:32:17 09[CFG] <1> candidate "VPNPeer", match: 1/20/3100 (me/other/ike)</div><div>Tue, 2021-03-09, %H:32:17 09[CFG] <1> selected peer config "VPNPeer"</div><div>Tue, 2021-03-09, %H:32:17 09[IKE] <VPNPeer|1> IKE_SA VPNPeer[1] established between 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]</div><div>Tue, 2021-03-09, %H:32:17 09[IKE] <VPNPeer|1> IKE_SA VPNPeer[1] state change: CONNECTING => ESTABLISHED</div><div>Tue, 2021-03-09, %H:32:17 09[IKE] <VPNPeer|1> scheduling reauthentication in 86400s</div><div>Tue, 2021-03-09, %H:32:17 09[IKE] <VPNPeer|1> maximum IKE_SA lifetime 86400s</div><div>Tue, 2021-03-09, %H:32:17 09[ENC] <VPNPeer|1> generating ID_PROT response 0 [ ID HASH ]</div><div>Tue, 2021-03-09, %H:32:17 09[NET] <VPNPeer|1> sending packet: from 192.19.22.10[500] to 192.19.22.1[500] (76 bytes)</div><div>Tue, 2021-03-09, %H:32:17 11[NET] <VPNPeer|1> received packet: from 192.19.22.1[500] to 192.19.22.10[500] (444 bytes)</div><div>Tue, 2021-03-09, %H:32:17 11[ENC] <VPNPeer|1> parsed QUICK_MODE request 256501508 [ HASH SA No KE ID ID ]</div><div>Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> looking for a child config for <a href="http://192.19.22.10/32">192.19.22.10/32</a> === <a href="http://192.19.22.1/32">192.19.22.1/32</a></div><div>Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> proposing traffic selectors for us:</div><div>Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> <a href="http://192.19.22.10/32">192.19.22.10/32</a></div><div>Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> proposing traffic selectors for other:</div><div>Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> <a href="http://192.19.22.1/32">192.19.22.1/32</a></div><div>Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> candidate "VPNPeer" with prio 5+5</div><div>Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> found 
matching child config "VPNPeer" with prio 10</div><div>Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> selecting traffic selectors for other:</div><div>Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> config: <a href="http://192.19.22.1/32">192.19.22.1/32</a>, received: <a href="http://192.19.22.1/32">192.19.22.1/32</a> => match: <a href="http://192.19.22.1/32">192.19.22.1/32</a></div><div>Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> selecting traffic selectors for us:</div><div>Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> config: <a href="http://192.19.22.10/32">192.19.22.10/32</a>, received: <a href="http://192.19.22.10/32">192.19.22.10/32</a> => match: <a href="http://192.19.22.10/32">192.19.22.10/32</a></div><div>Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> selecting proposal:</div><div>Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> proposal matches</div><div>Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ</div><div>Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ</div><div>Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ</div><div>Tue, 2021-03-09, %H:32:17 11[IKE] <VPNPeer|1> received 1000000000 lifebytes, configured 0</div><div>Tue, 2021-03-09, %H:32:17 11[LIB] <VPNPeer|1> size of DH secret exponent: 2047 bits</div><div>Tue, 2021-03-09, %H:32:17 11[KNL] <VPNPeer|1> got SPI c8bf9eca</div><div>Tue, 2021-03-09, %H:32:17 11[ENC] <VPNPeer|1> generating QUICK_MODE response 256501508 [ HASH SA No KE ID ID ]</div><div>Tue, 2021-03-09, %H:32:17 11[NET] <VPNPeer|1> sending packet: from 192.19.22.10[500] to 192.19.22.1[500] (444 bytes)</div><div>Tue, 2021-03-09, %H:32:17 12[NET] <VPNPeer|1> received packet: from 192.19.22.1[500] to 192.19.22.10[500] (60 bytes)</div><div>Tue, 2021-03-09, %H:32:17 12[ENC] <VPNPeer|1> parsed QUICK_MODE request 256501508 [ HASH ]</div><div>Tue, 
2021-03-09, %H:32:17 12[CHD] <VPNPeer|1> CHILD_SA VPNPeer{1} state change: CREATED => INSTALLING</div><div>Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1> using AES_CBC for encryption</div><div>Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1> using HMAC_SHA1_96 for integrity</div><div>Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1> adding inbound ESP SA</div><div>Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1> SPI 0xc8bf9eca, src 192.19.22.1 dst 192.19.22.10</div><div>Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> adding SAD entry with SPI c8bf9eca and reqid {1}</div><div>Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> using encryption algorithm AES_CBC with key size 128</div><div>Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> using integrity algorithm HMAC_SHA1_96 with key size 160</div><div>Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> using replay window of 32 packets</div><div>Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> HW offload: no</div><div>Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1> adding outbound ESP SA</div><div>Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1> SPI 0x2d5a8f29, src 192.19.22.10 dst 192.19.22.1</div><div>Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> adding SAD entry with SPI 2d5a8f29 and reqid {1}</div><div>Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> using encryption algorithm AES_CBC with key size 128</div><div>Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> using integrity algorithm HMAC_SHA1_96 with key size 160</div><div>Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> using replay window of 0 packets</div><div>Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> HW offload: no</div><div>Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> adding policy <a href="http://192.19.22.1/32">192.19.22.1/32</a> === <a href="http://192.19.22.10/32">192.19.22.10/32</a> in [priority 367231, refcount 1]</div><div>Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> adding policy <a href="http://192.19.22.1/32">192.19.22.1/32</a> === <a 
href="http://192.19.22.10/32">192.19.22.10/32</a> fwd [priority 367231, refcount 1]</div><div>Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> adding policy <a href="http://192.19.22.10/32">192.19.22.10/32</a> === <a href="http://192.19.22.1/32">192.19.22.1/32</a> out [priority 367231, refcount 1]</div><div>Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> getting a local address in traffic selector <a href="http://192.19.22.10/32">192.19.22.10/32</a></div><div>Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> using host 192.19.22.10</div><div>Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> getting iface name for index 3</div><div>Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> using 192.19.22.1 as nexthop and eth1 as dev to reach <a href="http://192.19.22.1/32">192.19.22.1/32</a></div><div>Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> installing route: <a href="http://192.19.22.1/32">192.19.22.1/32</a> via 192.19.22.1 src 192.19.22.10 dev eth1</div><div>Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> getting iface index for eth1</div><div>Tue, 2021-03-09, %H:32:17 12[IKE] <VPNPeer|1> CHILD_SA VPNPeer{1} established with SPIs c8bf9eca_i 2d5a8f29_o and TS <a href="http://192.19.22.10/32">192.19.22.10/32</a> === <a href="http://192.19.22.1/32">192.19.22.1/32</a></div><div>Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1> CHILD_SA VPNPeer{1} state change: INSTALLING => INSTALLED</div><div>Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> getting iface name for index 3</div><div>Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> using 192.19.22.1 as nexthop and eth1 as dev to reach <a href="http://192.19.22.1/32">192.19.22.1/32</a></div><div>Tue, 2021-03-09, %H:32:28 15[KNL] <VPNPeer|1> querying SAD entry with SPI c8bf9eca</div><div>Tue, 2021-03-09, %H:32:28 15[KNL] <VPNPeer|1> querying policy <a href="http://192.19.22.1/32">192.19.22.1/32</a> === <a href="http://192.19.22.10/32">192.19.22.10/32</a> in</div><div>Tue, 2021-03-09, %H:32:28 15[KNL] <VPNPeer|1> querying policy <a 
href="http://192.19.22.1/32">192.19.22.1/32</a> === <a href="http://192.19.22.10/32">192.19.22.10/32</a> fwd</div><div>Tue, 2021-03-09, %H:32:28 15[KNL] <VPNPeer|1> querying SAD entry with SPI 2d5a8f29</div><div>Tue, 2021-03-09, %H:32:28 15[KNL] <VPNPeer|1> querying policy <a href="http://192.19.22.10/32">192.19.22.10/32</a> === <a href="http://192.19.22.1/32">192.19.22.1/32</a> out</div><div>Tue, 2021-03-09, %H:37:17 05[NET] <VPNPeer|1> received packet: from 192.19.22.1[500] to 192.19.22.10[500] (92 bytes)</div><div>Tue, 2021-03-09, %H:37:17 05[ENC] <VPNPeer|1> parsed INFORMATIONAL_V1 request 3632002282 [ HASH N(DPD) ]</div><div>Tue, 2021-03-09, %H:37:17 05[IKE] <VPNPeer|1> queueing ISAKMP_DPD task</div><div>Tue, 2021-03-09, %H:37:17 05[IKE] <VPNPeer|1> activating new tasks</div><div>Tue, 2021-03-09, %H:37:17 05[IKE] <VPNPeer|1> activating ISAKMP_DPD task</div><div>Tue, 2021-03-09, %H:37:17 05[ENC] <VPNPeer|1> generating INFORMATIONAL_V1 request 840089277 [ HASH N(DPD_ACK) ]</div><div>Tue, 2021-03-09, %H:37:17 05[NET] <VPNPeer|1> sending packet: from 192.19.22.10[500] to 192.19.22.1[500] (92 bytes)</div><div>Tue, 2021-03-09, %H:37:17 05[IKE] <VPNPeer|1> activating new tasks</div><div>Tue, 2021-03-09, %H:37:17 05[IKE] <VPNPeer|1> nothing to initiate</div><div>Tue, 2021-03-09, %H:38:37 07[NET] <VPNPeer|1> received packet: from 192.19.22.1[500] to 192.19.22.10[500] (92 bytes)</div><div>Tue, 2021-03-09, %H:38:37 07[ENC] <VPNPeer|1> parsed INFORMATIONAL_V1 request 2900110358 [ HASH D ]</div><div>Tue, 2021-03-09, %H:38:37 07[IKE] <VPNPeer|1> received DELETE for IKE_SA VPNPeer[1]</div><div>Tue, 2021-03-09, %H:38:37 07[IKE] <VPNPeer|1> deleting IKE_SA VPNPeer[1] between 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]</div><div>Tue, 2021-03-09, %H:38:37 07[IKE] <VPNPeer|1> IKE_SA VPNPeer[1] state change: ESTABLISHED => DELETING</div><div>Tue, 2021-03-09, %H:38:37 07[IKE] <VPNPeer|1> IKE_SA VPNPeer[1] state change: DELETING => DELETING</div><div>Tue, 2021-03-09, 
%H:38:37 08[NET] <2> received packet: from 192.19.22.1[500] to 192.19.22.10[500] (244 bytes)</div><div>Tue, 2021-03-09, %H:38:37 07[IKE] <VPNPeer|1> IKE_SA VPNPeer[1] state change: DELETING => DESTROYING</div><div>Tue, 2021-03-09, %H:38:37 07[CHD] <VPNPeer|1> CHILD_SA VPNPeer{1} state change: INSTALLED => DESTROYING</div><div>Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleting policy <a href="http://192.19.22.10/32">192.19.22.10/32</a> === <a href="http://192.19.22.1/32">192.19.22.1/32</a> out</div><div>Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleting policy <a href="http://192.19.22.1/32">192.19.22.1/32</a> === <a href="http://192.19.22.10/32">192.19.22.10/32</a> in</div><div>Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleting policy <a href="http://192.19.22.1/32">192.19.22.1/32</a> === <a href="http://192.19.22.10/32">192.19.22.10/32</a> fwd</div><div>Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleting SAD entry with SPI c8bf9eca</div><div>Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleted SAD entry with SPI c8bf9eca</div><div>Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleting SAD entry with SPI 2d5a8f29</div><div>Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleted SAD entry with SPI 2d5a8f29</div><div>Tue, 2021-03-09, %H:38:37 08[ENC] <2> parsed ID_PROT request 0 [ SA V V V V ]</div><div>Tue, 2021-03-09, %H:38:37 08[CFG] <2> looking for an IKEv1 config for 192.19.22.10...192.19.22.1</div><div>Tue, 2021-03-09, %H:38:37 08[CFG] <2> candidate: 192.19.22.10...192.19.22.1, prio 3100</div><div>Tue, 2021-03-09, %H:38:37 08[CFG] <2> found matching ike config: 192.19.22.10...192.19.22.1 with prio 3100</div><div>Tue, 2021-03-09, %H:38:37 08[IKE] <2> received NAT-T (RFC 3947) vendor ID</div><div>Tue, 2021-03-09, %H:38:37 08[IKE] <2> received draft-ietf-ipsec-nat-t-ike-07 vendor ID</div><div>Tue, 2021-03-09, %H:38:37 08[IKE] <2> received draft-ietf-ipsec-nat-t-ike-03 vendor ID</div><div>Tue, 2021-03-09, %H:38:37 08[IKE] <2> received 
draft-ietf-ipsec-nat-t-ike-02\n vendor ID</div><div>Tue, 2021-03-09, %H:38:37 08[IKE] <2> 192.19.22.1 is initiating a Main Mode IKE_SA</div><div>Tue, 2021-03-09, %H:38:37 08[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING</div><div>Tue, 2021-03-09, %H:38:37 08[CFG] <2> selecting proposal:</div><div>Tue, 2021-03-09, %H:38:37 08[CFG] <2> proposal matches</div><div>Tue, 2021-03-09, %H:38:37 08[CFG] <2> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048</div><div>Tue, 2021-03-09, %H:38:37 08[CFG] <2> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048</div><div>Tue, 2021-03-09, %H:38:37 08[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048</div><div>Tue, 2021-03-09, %H:38:37 08[IKE] <2> sending XAuth vendor ID</div><div>Tue, 2021-03-09, %H:38:37 08[IKE] <2> sending DPD vendor ID</div><div>Tue, 2021-03-09, %H:38:37 08[IKE] <2> sending NAT-T (RFC 3947) vendor ID</div><div>Tue, 2021-03-09, %H:38:37 08[ENC] <2> generating ID_PROT response 0 [ SA V V V ]</div><div>Tue, 2021-03-09, %H:38:37 08[NET] <2> sending packet: from 192.19.22.10[500] to 192.19.22.1[500] (136 bytes)</div><div>Tue, 2021-03-09, %H:38:37 09[NET] <2> received packet: from 192.19.22.1[500] to 192.19.22.10[500] (412 bytes)</div><div>Tue, 2021-03-09, %H:38:37 09[ENC] <2> parsed ID_PROT request 0 [ KE No V V V NAT-D NAT-D ]</div><div>Tue, 2021-03-09, %H:38:37 09[IKE] <2> received DPD vendor ID</div><div>Tue, 2021-03-09, %H:38:37 09[ENC] <2> received unknown vendor ID: 10:f9:6f:0a:02:d3:cc:91:9c:61:7d:60:6f:41:1f:c8</div><div>Tue, 2021-03-09, %H:38:37 09[IKE] <2> received XAuth vendor ID</div><div>Tue, 2021-03-09, %H:38:37 09[LIB] <2> size of DH secret exponent: 2047 bits</div><div>Tue, 2021-03-09, %H:38:37 09[CFG] <2> candidate "VPNPeer", match: 1/1/3100 (me/other/ike)</div><div>Tue, 2021-03-09, %H:38:37 09[ENC] 
<2> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]</div><div>Tue, 2021-03-09, %H:38:37 09[NET] <2> sending packet: from 192.19.22.10[500] to 192.19.22.1[500] (372 bytes)</div><div>Tue, 2021-03-09, %H:38:37 11[NET] <2> received packet: from 192.19.22.1[500] to 192.19.22.10[500] (76 bytes)</div><div>Tue, 2021-03-09, %H:38:37 11[ENC] <2> parsed ID_PROT request 0 [ ID HASH ]</div><div>Tue, 2021-03-09, %H:38:37 11[CFG] <2> looking for pre-shared key peer configs matching 192.19.22.10...192.19.22.1[192.19.22.1]</div><div>Tue, 2021-03-09, %H:38:37 11[CFG] <2> candidate "VPNPeer", match: 1/20/3100 (me/other/ike)</div><div>Tue, 2021-03-09, %H:38:37 11[CFG] <2> selected peer config "VPNPeer"</div><div>Tue, 2021-03-09, %H:38:37 11[IKE] <VPNPeer|2> IKE_SA VPNPeer[2] established between 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]</div><div>Tue, 2021-03-09, %H:38:37 11[IKE] <VPNPeer|2> IKE_SA VPNPeer[2] state change: CONNECTING => ESTABLISHED</div><div>Tue, 2021-03-09, %H:38:37 11[IKE] <VPNPeer|2> scheduling reauthentication in 86400s</div><div>Tue, 2021-03-09, %H:38:37 11[IKE] <VPNPeer|2> maximum IKE_SA lifetime 86400s</div><div>Tue, 2021-03-09, %H:38:37 11[ENC] <VPNPeer|2> generating ID_PROT response 0 [ ID HASH ]</div><div>Tue, 2021-03-09, %H:38:37 11[NET] <VPNPeer|2> sending packet: from 192.19.22.10[500] to 192.19.22.1[500] (76 bytes)</div><div>Tue, 2021-03-09, %H:39:15 15[CFG] received stroke: terminate 'VPNPeer'</div><div>Tue, 2021-03-09, %H:39:15 05[IKE] <VPNPeer|2> queueing ISAKMP_DELETE task</div><div>Tue, 2021-03-09, %H:39:15 05[IKE] <VPNPeer|2> activating new tasks</div><div>Tue, 2021-03-09, %H:39:15 05[IKE] <VPNPeer|2> activating ISAKMP_DELETE task</div><div>Tue, 2021-03-09, %H:39:15 05[IKE] <VPNPeer|2> deleting IKE_SA VPNPeer[2] between 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]</div><div>Tue, 2021-03-09, %H:39:15 05[IKE] <VPNPeer|2> sending DELETE for IKE_SA VPNPeer[2]</div><div>Tue, 2021-03-09, %H:39:15 05[IKE] <VPNPeer|2> IKE_SA 
VPNPeer[2] state change: ESTABLISHED => DELETING</div><div>Tue, 2021-03-09, %H:39:15 05[ENC] <VPNPeer|2> generating INFORMATIONAL_V1 request 1114736905 [ HASH D ]</div><div>Tue, 2021-03-09, %H:39:15 05[NET] <VPNPeer|2> sending packet: from 192.19.22.10[500] to 192.19.22.1[500] (92 bytes)</div><div>Tue, 2021-03-09, %H:39:15 05[IKE] <VPNPeer|2> IKE_SA VPNPeer[2] state change: DELETING => DESTROYING</div><div>Tue, 2021-03-09, %H:39:15 07[NET] <3> received packet: from 192.19.22.1[500] to 192.19.22.10[500] (244 bytes)</div><div>Tue, 2021-03-09, %H:39:15 07[ENC] <3> parsed ID_PROT request 0 [ SA V V V V ]</div><div>Tue, 2021-03-09, %H:39:15 07[CFG] <3> looking for an IKEv1 config for 192.19.22.10...192.19.22.1</div><div>Tue, 2021-03-09, %H:39:15 07[CFG] <3> candidate: 192.19.22.10...192.19.22.1, prio 3100</div><div>Tue, 2021-03-09, %H:39:15 07[CFG] <3> found matching ike config: 192.19.22.10...192.19.22.1 with prio 3100</div><div>Tue, 2021-03-09, %H:39:15 07[IKE] <3> received NAT-T (RFC 3947) vendor ID</div><div>Tue, 2021-03-09, %H:39:15 07[IKE] <3> received draft-ietf-ipsec-nat-t-ike-07 vendor ID</div><div>Tue, 2021-03-09, %H:39:15 07[IKE] <3> received draft-ietf-ipsec-nat-t-ike-03 vendor ID</div><div>Tue, 2021-03-09, %H:39:15 07[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID</div><div>Tue, 2021-03-09, %H:39:15 07[IKE] <3> 192.19.22.1 is initiating a Main Mode IKE_SA</div><div>Tue, 2021-03-09, %H:39:15 07[IKE] <3> IKE_SA (unnamed)[3] state change: CREATED => CONNECTING</div><div>Tue, 2021-03-09, %H:39:15 07[CFG] <3> selecting proposal:</div><div>Tue, 2021-03-09, %H:39:15 07[CFG] <3> proposal matches</div><div>Tue, 2021-03-09, %H:39:15 07[CFG] <3> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048</div><div>Tue, 2021-03-09, %H:39:15 07[CFG] <3> configured proposals: 
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048</div><div>Tue, 2021-03-09, %H:39:15 07[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048</div><div>Tue, 2021-03-09, %H:39:15 07[IKE] <3> sending XAuth vendor ID</div><div>Tue, 2021-03-09, %H:39:15 07[IKE] <3> sending DPD vendor ID</div><div>Tue, 2021-03-09, %H:39:15 07[IKE] <3> sending NAT-T (RFC 3947) vendor ID</div><div>Tue, 2021-03-09, %H:39:15 07[ENC] <3> generating ID_PROT response 0 [ SA V V V ]</div><div>Tue, 2021-03-09, %H:39:15 07[NET] <3> sending packet: from 192.19.22.10[500] to 192.19.22.1[500] (136 bytes)</div><div>Tue, 2021-03-09, %H:39:15 08[NET] <3> received packet: from 192.19.22.1[500] to 192.19.22.10[500] (412 bytes)</div><div>Tue, 2021-03-09, %H:39:15 08[ENC] <3> parsed ID_PROT request 0 [ KE No V V V NAT-D NAT-D ]</div><div>Tue, 2021-03-09, %H:39:15 08[IKE] <3> received DPD vendor ID</div><div>Tue, 2021-03-09, %H:39:15 08[ENC] <3> received unknown vendor ID: 10:f9:6f:0a:d5:5e:d6:1c:e6:59:75:2b:e7:46:d2:a4</div><div>Tue, 2021-03-09, %H:39:15 08[IKE] <3> received XAuth vendor ID</div><div>Tue, 2021-03-09, %H:39:15 08[LIB] <3> size of DH secret exponent: 2047 bits</div><div>Tue, 2021-03-09, %H:39:15 08[CFG] <3> candidate "VPNPeer", match: 1/1/3100 (me/other/ike)</div><div>Tue, 2021-03-09, %H:39:15 08[ENC] <3> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]</div><div>Tue, 2021-03-09, %H:39:15 08[NET] <3> sending packet: from 192.19.22.10[500] to 192.19.22.1[500] (372 bytes)</div><div>Tue, 2021-03-09, %H:39:15 09[NET] <3> received packet: from 192.19.22.1[500] to 192.19.22.10[500] (76 bytes)</div><div>Tue, 2021-03-09, %H:39:15 09[ENC] <3> parsed ID_PROT request 0 [ ID HASH ]</div><div>Tue, 2021-03-09, %H:39:15 09[CFG] <3> looking for pre-shared key peer configs matching 192.19.22.10...192.19.22.1[192.19.22.1]</div><div>Tue, 2021-03-09, %H:39:15 09[CFG] <3> candidate "VPNPeer", match: 1/20/3100 (me/other/ike)</div><div>Tue, 2021-03-09, %H:39:15 09[CFG] <3> 
selected peer config "VPNPeer"</div><div>Tue, 2021-03-09, %H:39:15 09[IKE] <VPNPeer|3> IKE_SA VPNPeer[3] established between 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]</div><div>Tue, 2021-03-09, %H:39:15 09[IKE] <VPNPeer|3> IKE_SA VPNPeer[3] state change: CONNECTING => ESTABLISHED</div><div>Tue, 2021-03-09, %H:39:15 09[IKE] <VPNPeer|3> scheduling reauthentication in 86400s</div><div>Tue, 2021-03-09, %H:39:15 09[IKE] <VPNPeer|3> maximum IKE_SA lifetime 86400s</div><div>Tue, 2021-03-09, %H:39:15 09[ENC] <VPNPeer|3> generating ID_PROT response 0 [ ID HASH ]</div><div>Tue, 2021-03-09, %H:39:15 09[NET] <VPNPeer|3> sending packet: from 192.19.22.10[500] to 192.19.22.1[500] (76 bytes)</div><div>Tue, 2021-03-09, %H:39:17 00[DMN] signal of type SIGINT received. Shutting down</div><div>Tue, 2021-03-09, %H:39:17 00[IKE] <VPNPeer|3> queueing ISAKMP_DELETE task</div><div>Tue, 2021-03-09, %H:39:17 00[IKE] <VPNPeer|3> activating new tasks</div><div>Tue, 2021-03-09, %H:39:17 00[IKE] <VPNPeer|3> activating ISAKMP_DELETE task</div><div>Tue, 2021-03-09, %H:39:17 00[IKE] <VPNPeer|3> deleting IKE_SA VPNPeer[3] between 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]</div><div>Tue, 2021-03-09, %H:39:17 00[IKE] <VPNPeer|3> sending DELETE for IKE_SA VPNPeer[3]</div><div>Tue, 2021-03-09, %H:39:17 00[IKE] <VPNPeer|3> IKE_SA VPNPeer[3] state change: ESTABLISHED => DELETING</div><div>Tue, 2021-03-09, %H:39:17 00[ENC] <VPNPeer|3> generating INFORMATIONAL_V1 request 590983238 [ HASH D ]</div><div>Tue, 2021-03-09, %H:39:17 00[NET] <VPNPeer|3> sending packet: from 192.19.22.10[500] to 192.19.22.1[500] (92 bytes)</div><div>Tue, 2021-03-09, %H:39:17 00[IKE] <VPNPeer|3> IKE_SA VPNPeer[3] state change: DELETING => DESTROYING</div></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
Message: 1<br>
Date: Tue, 9 Mar 2021 11:50:44 -0500<br>
From: Sean B <<a href="mailto:sb3957312@gmail.com" target="_blank">sb3957312@gmail.com</a>><br>
To: <a href="mailto:users@lists.strongswan.org" target="_blank">users@lists.strongswan.org</a><br>
Subject: [strongSwan] IKEv1 Phase 1 rekey deletes Phase 2 SAs<br>
Message-ID:<br>
<CA+c0=<a href="mailto:jf_1QpkV9HTx_QLNyDoHSsFq2eWkN7SDwMEfVSciTEVrg@mail.gmail.com" target="_blank">jf_1QpkV9HTx_QLNyDoHSsFq2eWkN7SDwMEfVSciTEVrg@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hi Strongswan-users,<br>
<br>
I have a setup that requires IKEv1 and I'm running into a problem when the<br>
IKEv1 Phase 1 (IKE SA) rekeys. Phase 1 appears to rekey correctly, but<br>
deletes the Phase 2 SAs.<br>
Based on the following website, IPsec SAs are supposed to be adopted by the<br>
new IKE SA and not recreated:<br>
<a href="https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey" rel="noreferrer" target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey</a><br>
*"IKEv1* SAs are also rekeyed/reauthenticated using a make-before-break<br>
scheme, however, only the IKE SA is affected. IPsec SAs are adopted by the<br>
new IKE SA and not recreated."<br>
<br>
In this setup, strongSwan (192.19.22.10) is configured as the Responder<br>
and a Cisco IOS (192.19.22.1) device as the Initiator.<br>
The initial connection is established, and the traffic is sent ESP<br>
encapsulated. The initiator attempts to rekey the IKE SA, and appears to<br>
succeed.<br>
Both the Initiator and the Responder are shown with the new IKE SA SPIs,<br>
but during the IKE SA rekey strongSwan deletes the SAD entries for the<br>
IPsec SAs.<br>
<br>
Can someone please assist with troubleshooting this issue?<br>
I am unable to determine if this is due to a configuration with the<br>
connections in ipsec.conf, a setting in charon.conf, or if this is an issue<br>
with how Cisco IOS attempts to rekey IKE SAs.<br>
Cisco appears to be sending a DELETE message as per<br>
<a href="https://tools.ietf.org/html/draft-jenkins-ipsec-rekeying-06#section-3.2" rel="noreferrer" target="_blank">https://tools.ietf.org/html/draft-jenkins-ipsec-rekeying-06#section-3.2</a>.<br>
<br>
I've included the 'ipsec statusall' outputs, ipsec.conf, and<br>
charon_debug.log<br>
(I've added charon_debug.log as an attachment, would it have been better to<br>
copy and paste into the body of the email?)<br>
#####<br>
# ipsec.conf - strongSwan IPsec configuration file<br>
<br>
# basic configuration<br>
config setup<br>
    # strictcrlpolicy=yes<br>
    # uniqueids = no<br>
<br>
# Add connections here.<br>
conn VPNPeer<br>
    leftfirewall=yes<br>
    keyexchange=ikev1<br>
<br>
    # Phase 1 settings<br>
    ikelifetime=24h<br>
    margintime=0<br>
    rekeyfuzz=0%<br>
    lifetime=8h<br>
    ike=aes256-sha1-modp2048 !<br>
<br>
    # Phase 2<br>
    esp=aes128-sha1-modp2048 !<br>
<br>
    left=192.19.22.10<br>
    right=192.19.22.1<br>
<br>
    authby=psk<br>
<br>
    type=tunnel<br>
<br>
    auto=add<br>
<br>
    # Rekeying<br>
    #rekey=no<br>
<br>
include /var/lib/strongswan/ipsec.conf.inc<br>
<br>
<br>
#####<br>
Here are the results from 'ipsec statusall':<br>
Initial connection:<br>
#ipsec statusall<br>
<br>
Status of IKE charon daemon (weakSwan 5.8.4, Linux 5.5.0-kali2-amd64,<br>
x86_64):<br>
uptime: 20 seconds, since Mar 09 13:32:08 2021<br>
malloc: sbrk 1622016, mmap 0, used 610688, free 1011328<br>
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,<br>
scheduled: 3<br>
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509<br>
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey<br>
pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink<br>
resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic<br>
counters<br>
<br>
Listening IP addresses:<br>
192.19.22.10<br>
172.19.22.10<br>
172.17.0.1<br>
Connections:<br>
VPNPeer: 192.19.22.10...192.19.22.1 IKEv1<br>
VPNPeer: local: [192.19.22.10] uses pre-shared key authentication<br>
VPNPeer: remote: [192.19.22.1] uses pre-shared key authentication<br>
VPNPeer: child: dynamic === dynamic TUNNEL<br>
<br>
Security Associations (1 up, 0 connecting):<br>
VPNPeer[1]: ESTABLISHED 11 seconds ago,<br>
192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]<br>
VPNPeer[1]: IKEv1 SPIs: e53ec81750a41b9c_i 84f72669eb1b150b_r*,<br>
pre-shared key reauthentication in 23 hours<br>
VPNPeer[1]: IKE proposal:<br>
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br>
VPNPeer{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c8bf9eca_i<br>
2d5a8f29_o<br>
VPNPeer{1}: AES_CBC_128/HMAC_SHA1_96/MODP_2048, 400 bytes_i (4 pkts,<br>
9s ago), 400 bytes_o (4 pkts, 9s ago), rekeying in 7 hours<br>
VPNPeer{1}: <a href="http://192.19.22.10/32" rel="noreferrer" target="_blank">192.19.22.10/32</a> === <a href="http://192.19.22.1/32" rel="noreferrer" target="_blank">192.19.22.1/32</a><br>
<br>
<br>
<br>
After IKE Phase 1 rekey:<br>
#ipsec statusall<br>
<br>
Status of IKE charon daemon (weakSwan 5.8.4, Linux 5.5.0-kali2-amd64,<br>
x86_64):<br>
uptime: 6 minutes, since Mar 09 13:32:08 2021<br>
malloc: sbrk 1622016, mmap 0, used 640656, free 981360<br>
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,<br>
scheduled: 5<br>
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509<br>
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey<br>
pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink<br>
resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic<br>
counters<br>
<br>
Listening IP addresses:<br>
192.19.22.10<br>
172.19.22.10<br>
172.17.0.1<br>
Connections:<br>
VPNPeer: 192.19.22.10...192.19.22.1 IKEv1<br>
VPNPeer: local: [192.19.22.10] uses pre-shared key authentication<br>
VPNPeer: remote: [192.19.22.1] uses pre-shared key authentication<br>
VPNPeer: child: dynamic === dynamic TUNNEL<br>
<br>
Security Associations (1 up, 0 connecting):<br>
VPNPeer[2]: ESTABLISHED 9 seconds ago,<br>
192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]<br>
VPNPeer[2]: IKEv1 SPIs: e53ec81702d2cc91_i 47da289647a60462_r*,<br>
pre-shared key reauthentication in 23 hours<br>
VPNPeer[2]: IKE proposal:<br>
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br>
<br>
#####<br>
# charon_debug.log - attached.<br>
</blockquote></div></div></div>
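An added diagnostic, not code from the post or from strongSwan, that parses the two 'ipsec statusall' snapshots quoted above (before and after the Phase 1 rekey) and reports whether the IKE_SA got new SPIs and which CHILD_SAs, identified by their ESP SPIs, are missing afterwards. The sample text is the post's own output reflowed onto one line per SA entry, and the regular expressions assume the 5.x statusall wording shown in the post.

```python
import re

# Excerpts of the two 'ipsec statusall' snapshots from the post (before/after the
# IKEv1 Phase 1 rekey), reflowed here so each SA entry sits on one line.
BEFORE_REKEY = """\
Security Associations (1 up, 0 connecting):
 VPNPeer[1]: ESTABLISHED 11 seconds ago, 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]
 VPNPeer[1]: IKEv1 SPIs: e53ec81750a41b9c_i 84f72669eb1b150b_r*, pre-shared key reauthentication in 23 hours
 VPNPeer{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c8bf9eca_i 2d5a8f29_o
"""

AFTER_REKEY = """\
Security Associations (1 up, 0 connecting):
 VPNPeer[2]: ESTABLISHED 9 seconds ago, 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]
 VPNPeer[2]: IKEv1 SPIs: e53ec81702d2cc91_i 47da289647a60462_r*, pre-shared key reauthentication in 23 hours
"""

# IKE_SA and CHILD_SA summary lines as strongSwan 5.x statusall prints them (assumed wording).
IKE_RE = re.compile(r"^\s*(\S+)\[(\d+)\]: IKEv[12] SPIs: ([0-9a-f]+)_i ([0-9a-f]+)_r")
CHILD_RE = re.compile(r"^\s*(\S+)\{(\d+)\}: INSTALLED, \w+, reqid (\d+), "
                      r"ESP SPIs: ([0-9a-f]+)_i ([0-9a-f]+)_o")

def parse_statusall(text):
    """Return ({conn: {ike_id: (spi_i, spi_r)}}, {conn: {child_id: (reqid, spi_i, spi_o)}})."""
    ike, child = {}, {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            ike.setdefault(m[1], {})[int(m[2])] = (m[3], m[4])
            continue
        m = CHILD_RE.match(line)
        if m:
            child.setdefault(m[1], {})[int(m[2])] = (int(m[3]), m[4], m[5])
    return ike, child

def check_rekey(before, after):
    """Per connection: did the IKE_SA change SPIs, and which CHILD_SAs (by ESP SPIs) vanished?"""
    ike_b, child_b = parse_statusall(before)
    ike_a, child_a = parse_statusall(after)
    report = {}
    for conn in set(ike_b) | set(ike_a):
        old_spis = set(ike_b.get(conn, {}).values())
        new_spis = set(ike_a.get(conn, {}).values())
        # An adopted CHILD_SA keeps its ESP SPIs, so key the comparison on them, not on {n}.
        kids_b = {v[1:] for v in child_b.get(conn, {}).values()}
        kids_a = {v[1:] for v in child_a.get(conn, {}).values()}
        report[conn] = {
            "ike_rekeyed": bool(old_spis and new_spis) and old_spis.isdisjoint(new_spis),
            "children_before": len(kids_b),
            "children_lost": sorted(kids_b - kids_a),
        }
    return report
```

Running check_rekey on the two snapshots flags VPNPeer as rekeyed with its single CHILD_SA lost, which is the symptom the post describes; an adopted Phase 2 SA would leave children_lost empty.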